1) Attending Information Security Conferences Made A Huge Impact on My Own Career. 

While attending my first information security conferences, DefCon 5 (at the old Aladdin) and RSA 1997 (where it rained all week), I learned very quickly that information security professionals were an accepting bunch.  Although I was a recruiter (or “job whore”/”talent pimp”- as some called me) I found that as long as I had something meaningful to say or a unique perspective to share, that most of the attendees would include me in their conversations.  Being included in these discussions and “allowing” me to ask questions and listen to the responses (without ridicule), provided me with the foundation for my professional education.  Still to this very day, I often reference these experiences when training new employees for my team, or speaking with information security professionals about the value of opening themselves up to new professional relationships.

2) Some of the most important personal relationships I have made in my life happened because of information security conferences.

At that first DefCon, I was briefly introduced to a sharp guy, who was very smart and quite blunt.  In traditional “hacker” style, he was skeptical of my motivations, and may have actually introduced me to the term “talent pimp.”  During the following years, we ran into each other at other DefCon’s.   The conversations were never long, but we always acknowledged each other.  He then became an employee at one of my clients, and we got to know each other better personally. After the company he worked at was sold, I was able to help him locate a good position at a company. Through that  process, we became friends.    It is now fifteen years later, and I consider him family.  In no other universe would our worlds have collided, but thanks to this industry, in Ralph Logan, I have a “brother” whom I can count on for anything.

In addition to this, I met Mike Murray, the co-founder of Infosecleaders, in an elevator at the Mirage, and as we walked over to Black Hat.  Through our friendship, (and Infosecleaders), Mike has taught me many things and has opened up my mind and challenged me on my thought processes.  ( Mike, I hope that I have done the same) Although Mike and I could not have more opposite work styles and competencies, information security events have brought together our passions of helping people, and for this I could not be more thankful.

Finally, and most important, if it was not for Information Security conferences, I may have not met my wife Michele.   In 1997 on my way back from RSA, I met a woman named Nicole Schmidt, who was the CIBC information security analyst, on my flight home.  We struck up a conversation and exchanged numbers, and became friends.  Seven years later, Nicole made a suggestion that I go on a date with her best friend Michele.   Michele and I have been married for five years.  We have a son, Brodie, who will turn 4 tomorrow.   I am also known as “Uncle Lee” to Nicole’s little boy, Lucca.

3) In the end, the only thing that matters is “people”.

In the wake of the messages I saw on Sunday while checking my Twitter stream, the only thought racing through my mind was “what about the people.”   The first “people” that I thought of were the organizers of B-Sides.  I know Mike Dahn since he trusted me with his career about 8 years ago, and we have been friendly ever since.  I know that B-Sides is run by members of the community, so I could only think of how all of the effort and energy of the volunteers could possibly go to waste, and that they may be facing a huge bill due to previously made financial commitments  (as a business owner, I know some things about event contracts) .

My mind then jumped to all of the information security professionals that I know who are big fans of B-Sides and have made plans to come to the event.  My assumption is that most of the B-Sides attendees are coming to try to better their careers – either through learning or networking.    I also assume that the reason they choose B-Sides is the price – and due to the fact that their employers do not have ample training budgets.    I assume that many have already taken vacation days and personally incurred the cost of travel.   The thought of all of their plans being ruined, and their money lost, was not acceptable to me, and did not sit right.

When I got home, I called Mike and texted, I asked him how much money he needed to insure that the event would take place.   The amount that he provided me was manageable.  Knowing that Infosecleaders.com does not and has never had any involvement with the RSA Conference, I knew that I was in a position to help without any impediments or restrictions.

Over the last 24 hours, I have been blown away by the reaction, the e-mails, and the tweets.  My only response to this is that I do not feel that I deserve any additional accolades.  I believe that I only did what any other member of our community would have done, if they had the financial resources at their disposal.  Having the opportunity to give back to our community and provide for others, is a “mitzvah” and a blessing.

It is with great pride that I consider myself a member of the information security community, and to have had the privilege of being associated with such a great collection of talent, personality, and passion.

Looking forward to seeing everyone at B-Sides.

Lee Kushner

About six months ago, I accepted an information security position that was presented to me with a 20-25% travel requirement.   I felt that the position was a good match for me, as I would be able to use some of my past skills, and pick up some new experience in security technologies that included GRC and SIEM tools.

For the first three months of my new position, the travel requirement held true.  I was traveling on average about five days away from home per month.  In addition, a good bulk of the travel was geared toward attending training on the newer technologies.   All was good.

However, in month four my new company won a large engagement to help a Fortune 500 client implement some of these new tools.  The location is about two hours away from my home, so given the work hours it is impossible to commute on a regular basis.   I find myself staying away from home – a minimum of three days a week – or about 60-70% of the time.

I reminded my manager who hired me about the discussion we had about the travel requirements and his response was less than satisfying.  He told me that this was the only client that I could be placed on, and that if I did not want to travel – that I could commute, if I desired.

The long and short of it, is that although I like learning the new skills, I feel that I was lied to.  Technically, they may be correct, and I do not have to “travel”, but in essence I feel they misrepresented the opportunity.

Being on the road for extensive time periods takes me away from my family, lessens my quality of life, and just does not work for me.

Any suggestions would be appreciated.

Signed,

Willie Nelson

Dear Willie –

The best advice that I can give you is to use the job to pick up as many skills as possible, and begin to plan your exit strategy.   The fact is that if you are building information security skills in the areas of GRC and SIEM technology, you are developing experience that has external market value that can serve as your parachute to new opportunity.

I will tell you (and others who are reading) that a big mistake for anyone going into a professional services environment or consulting environment is the illusions that you can limit your travel to less than 50% or that you can control the location of your future customers.    The only exception to this would be is your consulting position enables you to do a bulk of your work remotely  – like penetration testing.

The nature of the professional services business is client service.  Clients dictate the engagements and they dictate the requirements.  Your main value to your employer is your utilization and chargeability.   In the end, if you are restricted in your ability to travel, and this is the only work where you can be utilized, you are placing yourself in an unsustainable situation, which will not end happily.

Getting back to your situation Willie, I think that your manager reaction is the real indicator of the company’s attitude about your request to reduce your travel.   From what you have shared this is not a battle that you can win.

In the end, when accepting a new position it is essential that you understand all of the requirements that can effect your quality of life – commute, travel, compensation, work hours – and the personal sacrifices you are willing to undertake in order to perform the position requirements correctly.

Hope this helps,

Lee Kushner

The other day I learned that my information security program will be going through a reorganization. 

The good news is that as a result, I am receiving increased responsibility, visibility and exposure.  The bad news is that I am getting more work, more headaches, and I am not receiving any additional compensation.   

Needless to say, I am angry.

I really like my employer, but I consistently fight battles with management and human resources about my compensation.   Last year I received an “over market” increase (according to HR), which from my perspective was underwhelming, and did not reflect may contributions.    When I brought them “data” about compensation, they dismissed it.

Here I am again.  The pattern is repeating itself.   I am planning on putting my thoughts down in writing, in  a very direct letter to both may management and human resources, documenting and reflecting my feelings.

Do you approve of this approach?

Sincerely,

“Caesar Chavez”

Dear Caesar:

Before you decide to put your thoughts down in paper or in an e-mail, you need to ask yourself, “How good of a writer am I?”  By writing a note, your thoughts are going to be contained forever, and can always be referenced.  If your note takes an angry tone,  it can be viewed as a line in the sand to your current manager and employer, and it can force an action – which may or may not be worth the risk.

Personally, I believe that you should express your opinions verbally, in a meeting setting with both your manager and human resources present.  I think that you should set the tone of the meeting, by first letting them know that you appreciate their recognition of your contributions, by providing you with additional responsibility.

Once this point is conveyed, you should let them know that your expectation would be that once your prove yourself in this new capacity, that you be compensated commensurate with others across the organization who hold the same titles and responsibility.   During this meeting, you should ask your manager to establish specific metrics on how your performance will be evaluated.  In front of HR, you should ask for a follow up meeting so that these can be reviewed, and set up a timetable for an initial review (6 months may be ample time).  In these 6 months, you should work your butt off, to overachieve, to show them that they made the correct choice in giving you this opportunity.

By handling it this way, you are demonstrating maturity in your approach.  It is a common mistake for people to ask for money once given an “opportunity”, but the fact is that the extra money is earned once you prove that you can perform at this newly elevated level.

When the review cycle comes around, one of two things will happen – you will either be happy with you new position and increase, or your will be polishing off your resume, looking for an employer that appreciates your experience and newly learned skills.

Hope this helps,

Lee and Mike

For the past couple of years Mike and I have written about information security career topics and spoken about the importance of leadership, in all forms.  One of the things that we have suggested in many of our posts, has been to find opportunities to demonstrate leadership outside of the work environment.

Recently, I have decided to follow my advice, and take a leadership role in the origination of a charity event that blends a number of things that I am passionate about:  Children, Community, and Athletics.

For the past three years I have been playing in an over-35 fast pitch softball league, called MVP Softball, where I play on the Central Jersey Trees.  About a year ago, we began discussing the concept of joining together and putting together a softball charity event that could benefit needy, local families and children in  our community.

After agreeing on the idea, we began thinking about charities that we could support that could accomplish our mission.    In the end, we decided upon two charities – the Monmouth County Challenger Leagues  (Freehold and CYSP of Lincroft) and The Chariot Riders.

Here is a brief synopsis -  The Challenger Sports Programs are designed to provide sports programs and activities for children who are both physically and mentally challenged.  The local challenger programs participate in sports that include baseball, basketball, soccer, tennis, golf, and cheer leading.

The Chariot Riders program provides therapeutic horseback riding for physically and mentally challenged children and adults to improve the quality of their physical, emotional, mental and social well-being.

After selecting our charities, we partnered with a local volunteer organization named Play2Win Foundation, who has a mission statement that aligns with our event.  Play2Win is a 5013c entity, and takes absolutely no money in administrative fees.  They have been instrumental in providing us with the infrastructure and operational help to pull the event together.

The Event itself is titled the Extrainnings Classic.   The event has 4 key components -

1) A 100 inning marathon softball game -

2) A Youth Skills Competition Called “The Baseball/Softball Olympics” – where children of all abilities, including the Challenger Athletes, will compete side by side in a series of baseball/softball skills challenges – in hitting, running, and throwing events.  We received sponsorship from a local baseball facility to help with the operations and the coaching.

3) The Challenger Baseball Exhibition – both of the Challenger Leagues will participate in an hour long exhibition that showcases the abilities of these special athletes.  The game will be the showcase of the event.

4) The Home Run Derby – where some of the leagues big hitters will test their skills in a “All-Star” Game style Home Run Derby - as a point of note – I have been installed as the morning line favorite.

The main purpose behind this blog entry is to ask for your help in supporting these events.  Personally, I have made it a goal of mine to raise up to $5000 for the event – and the only way that I can accomplish this is with your support.

I would like to ask anyone who received some good, useful advice from the blog or from our research to help me support these great causes, and pledge a donation – per inning of the softball game.  (Very similar to sponsoring someone per mile for a marathon or bicycle race)

F0r example;

$1 per inning = $100

$.50 per inning = $50

$.25 per inning = $25

$.10 per inning $10

My goal is to raise $2500 in contributions, and then I will write a matching check to the charities for any amount that is donated.

All donations are tax deductible to the fullest extent allowed by law – (disclaimer – I am not an accountant).

Donations can be made by clicking on my donation page on the Extrainnings Classic website, through either a CC or PayPal account.   If you would prefer, you could always write a check to Play2Win Foundation, and mail it to my office at 36 West Main Street, Suite 302, Freehold NJ 07728.

I really appreciate any support that you can provide for these worthy charities, the families, and most importantly the children.

Thank you for listening,

Lee Kushner

Central Jersey Trees, 1st Base, #33

Again, the survey is independent and open to any and all information security professionals, at any stage of their infosec career.   All opinions are welcomed – whether you hold information security certifications or do not.

We are hoping that our readers will continue to promote the survey to their peers, on their blogs, twitter feeds,podcast,  and mailing lists – so that we can provide as much relevant data as possible, when we reveal the results around Black Hat.

If anyone would like an interview, podcast, or additional information, please contact either Mike mmurray@infosecleaders.comm  or me lee@infosecleaders.com

Thanks for your continued support,

Lee and Mike

It appears that my work life and my home life have officially collided.  

I am an information security professional by trade and have been working in my field for close to 8 years.   I am also happily married, we have a daughter – and have a very good relationship with my spouse, who also has a career.  I am a little further advanced in my career than my spouse is – however my spouse has more traditional education. 

My issue is this, I have been offered an external opportunity that really moves me closer to my long term career goal as a CISO, and my spouse does not want me to take the job.   The reason given is that my spouse believes that I will be required to work more hours, travel a little more (about 10%), and have more stress.   

My spouse’s lack of support is a very big setback.

I know that the opportunity is not without downside risk, but it is the job that I need to advance my career and it is with a company that I feel very good about joining.  The job does pay more money – but it does require more time and sacrifice.  I do not think that this is a once in a lifetime opportunity –but I do believe it is a real career accelerator.

Can you help me convince my spouse to support my decision?

Sincerely,

“Two Worlds Colliding”

Dear TWC:

This is the first time that we have been called on for some marriage therapy – so please understand that we do not claim to be experts in this area.   

Our initial thought is very simple; it is much easier to find a good information security opportunity, than it is to find a good life partner/spouse.

This being said, I think that your question lies in the extent of sacrifice that you are willing to take to achieve your long term career goals.  It is clear that you personally understand what is necessary to be successful in your career pursuits and are willing to go after them, however your spouse does not seem to share your willingness to sacrifice.

What you may or may not realize that in a committed relationsip, sacrifice is shared and collective.

One thing that you mentioned is that your spouse also has a career, and just like your career is valuable to you – your spouse’s career is valuable to them.  Your spouse may think that the extra commitment that you have in your role, may detract from their ability to maximize their career goals and aspirations.  It could also be that they feel that you will have additional responsibilities – and the burden of the home front will fall on their shoulders.

The problem that you are dealing with is a situation that many dual income families have to deal with, when they are balancing both of their careers and their parental and marital responsibilities.  

The best advice that we can give you is to talk things through with your spouse and appeal to them on a very personal  level and explain to them why the job is important and critical.  You may also provide your spouse with some recourse if the job does change your home life, and commit that you will find another role if this new position affects your relationship with each other and your child.  

In the end, if your spouse objects strongly, and provides you with logic that you can live with, then I would respect their opinion, and turn down the opportunity.  However, before you do, you should ask your spouse to provide you with acceptable criteria that you can apply to a future job search.

This way, you will have their buy in and support from the beginning.

 Hope this helps,

 Mike and Lee

Let us know what you think.  Follow up questions can be answered on Career Advice Tuesday.

Lee and Mike

This week’s Career Advice Tuesday is going to serve as a formal announcement for our recently launched InfoSecLeaders Certification Survey.

Over the past two years as we have been answering questions, giving career centric presentations, writing articles, and doing podcasts, the one topic that just will not go away is “The Value of Certifications.”  

Many information security professionals have different views on the topic – some are completely anti-certification and some will do anything in their power to acquire more letters to place after their names.  Some hiring managers look at certifications as validation of skill, where some hiring managers completely overlook certifications, and focus solely on work experience and formal education.

Plain and simple, we thought it was about time to collect some heterogeneous data on this topic, to provide some real information to the information security community, on how you, the Information Security Professional feel about Certifications.

As always our survey is open to all information security professionals and is hosted on Surveymonkey.   Anyone who responds to the survey will have the ability to receive the final results when they are released, by submitting an e-mail address.  As always, the e-mail address is unrelated to the data that has been inserted – so your responses are not linked – the survey is anonymous.

Some other facts about the survey:

Participants – The survey is open to all Information Security Professionals.  Whether you hold security certifications or do not, your opinions are welcomed and appreciated.

Time Frame: The survey was launched at RSA , and will run until around July 1.

Duration – Probably about 10 minutes to complete

Survey Topics – Background, Are You Certified, Opinions and  Motivations for Certification,  Certifications as Career Investments, Certifications and the Hiring Process, Value of Certifications in Comparison to other Skills

Results - We are planning to announce the results around the time of Black Hat and DefCon.  We will submit a presentation to both conferences about the results.

Sponsorship -As always, none.  This survey is not sponsored by any one trade organization, magazine, membership organization, or product/services venue.   This is the creation of Infosecleaders.

Promotion - We will be promoting the survey by all means necessary in attempts to collect the most number of responses.   We will agree to any and all interview and pod cast requests.  We will promote this on our blog, mailing lists,  our Twitter feed, social media, mailing lists, or any other related forms.  We will enlist the help of all career minded security media partners to help create awareness.

In addition, we will be reaching out to all major industry associations, membership groups, and certification bodies to promote the survey to their memberships.   We are hopeful that they will support this research effort – however it is our experience that most (definitely not all)  will elect  not do so, unless they have control.  (One of the reasons behind our desire to create the survey) Nonetheless, we will ask them. 

We Need Your Help:   Our goal is to receive as many responses as possible – in order to do this, we need your help.  Please introduce the survey to any information security professional who has an opinion on this topic.   Feel free to publicize this on any mailing list, blog, industry group, or social media outlet that you believe would be relevent.    We trust you!

Goal:

At the RSA Conference, ISC2 announced their sponsored global workforce study (by Frost and Sullivan),  and they had over 10,000  (10,413 to be exact) respondents (which is significant).  72% were ISC2 members, while 28% were non-members.  However, I think that as a broader community, and with  a strong grass roots effort,  we (collectively) can do better.  

10,000 respondents would be a lofty goal, considering our lack of financial resources, however we are willing to bet that as a community we can rival this. 

It will be interesting to see if the data collected and attitudes reflected in this heterogenous survey would be consistent with some of the data collected in the ISC2 sponsored survey

The questions are thought provoking  and may border on controversial.    When the results are published, we are hopeful that we can share the attitudes of the community – and either reinforce the current state, or  inspire some meaningful change around this topic.

As always, the data will reign supreme.

Thanks for your help,

Lee and Mike

The Seminar will take place as follows:

Monday, February 14th , 12:30 – 5:00PM, Moscone Center – Orange Room 305

Then final panel will follow immediately after my presentation- – which begins at 3:30 – and will conclude at 5:00Pm.

The final presentation is really the showcase for the event.  The panel discussion will feature three accomplished Information Security Leaders, who will guide the audience through the evolution of their information security career, and provide insight and guidance to the audience on how to accelerate their own careers.

The participating CISO’s represent a variety of industry’s and have some very unique career progressions.  They include the following :

Patrick Heim - CISO Kaiser Permanente, former CISO McKesson

John Kirkwood- CISO Royal Ahold, fomer CISO American Express

Stephen Scharf - Global CISO Experian , former CSO Bloomberg

The topics that we will cover will include the following :

1) Key career decisions that impacted and accelerated their careers

2) How they select talent?  What they look for in interviews?  How they determine who gets promotions and more responsibility?

3) Their own professional development – through industry involvement, certifications, and advanced education and training

4) What the future holds for them?  What they see on the horizon?

5) General Advice to aspiring Information Security Leaders

All I can say is that it is very exciting to bring this panel to the RSA audience.  The opportunity to gain insight into the careers of successful information security leaders, and in an open forum where the audience can receive unfiltered advice and guidance is a unique opportunity.

For all of the aspiring information security leaders out there, this panel is worth the price of admission alone.

Look forward to seeing you all.  Safe travels!

Lee and Mike

Session Date – February 14, 2011 (yep still Valentine’s Day)

Session Time- 2:30PM – 3:10PM

Location – Orange Room 305

Session Preview -”Making The A-List” - Written By Jeff Combs (guest blogger)

As a headhunter with over a decade of experience recruiting in Security, it’s my job to align the best candidates with the right opportunities.  It’s not an easy job, but one that can be very gratifying when you’re able to make a positive difference in people’s lives.  To be successful, a recruiter has to have a number of traits – empathy, listening skills, industry knowledge, the ability to earn trust and…the ability to think like a horse trader.

It’s a fact that companies will only pay to hire the best.  That’s why recruiters exist, to identify and attract talent that stands out from the rest of the crowd. Average doesn’t cut it.  So while I give everyone the benefit of the doubt, I can’t afford to represent anyone to my clients who isn’t a cut above their peers.  The candidates that I do advocate for have to be on the “A-list”.

What gets a candidate onto the A-list? There are roughly seven qualities that I look for when interviewing prospective candidates.  Some are “hard”, relating to a candidate’s skills and experience. Others are “soft” and focus on personal qualities. Taken as a whole, these qualities should tell a compelling story that will cause heads to nod and votes of confidence to be cast.

I’ll also describe a way of looking at your career and professional accomplishments that can have a big impact on how you present yourself and how hiring managers perceive you.  I refer to it as “Personal Product Management” and while not rocket surgery, it’s a simple way of making sure you’re headed in the right direction and conveying the right message.

A word of caution, for those seeking empirical data and quantitative metrics this may not be the session for you.  However, for those interested in hearing an insider’s perspective on what makes some succeed and many other’s fail, as well as some open discussion on ways to stand out from the crowd I think it will be time well spent.

I hope to see you there.

Jeff Combs